Vol. 41No. 4

As nations worldwide seek to protect individuals’ personal data from collection and use by private and public entities, varying legal approaches and frameworks have emerged. Spain and the countries of Latin America have developed diverse approaches based on constitutional rights, European Union data-protection laws, or a blend of both.

Spanish and Latin American approaches to personal data protection are rooted in the European concept of personal privacy rights that have developed throughout Europe for several decades and have culminated via regional integration in adoption of the European Data Protection Directive (the “Directive”) in 1995. The Directive requires EU member states such as Spain to transpose principles of the Directive into national law and establishes definitions and legal concepts that have been adopted by several Latin American nations.

The Directive establishes a data protection framework through its key definitions. “Personal data” is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” Such data are deemed to be “processed” via “any operation or set of operations which is performed upon personal data.” The term “controller” refers to any entity that determines the purposes and means of the processing of personal data. The controller, in turn, is governed by a data protection authority charged with ensuring compliance with data protection laws.

Under the Directive, the individual possesses the right to be informed when personal data are being processed and to provide personal consent for such use. Personal data processing is authorized under several circumstances, such as when necessary for contractual performance or compliance with a legal obligation and when necessary to protect the vital interests of the individual or the public interest. Personal data processing may be performed only for specified, explicit, and legitimate purposes and only to the extent that it is adequate, relevant, and not excessive in relation to the expressed purposes of such processing.

EU member states must each establish an authority to: (1) authorize and supervise personal data processing activities, (2) enforce compliance, and (3) impose sanctions or penalties for violations. If personal data are transferred to third countries outside the EU, the Directive requires that such countries provide “adequate protection” of personal data in order for cross-border data transfers to be authorized.

In January 2012, the EU issued a revised draft European Data Protection Regulation for consideration by EU member states. New proposals include: (1) applicability of EU data protection regulations to non-EU businesses and entities, even those outside of the EU, provided that processing of data is directed at EU residents; (2) adoption of an explicit “opt-in” model for personal data processing; (3) a “right of portability” of personal data and the “right to be forgotten,” which will allow individuals to wipe their online personal history clean; (4) notification of personal data breaches within 24 hours to EU authorities and affected individuals; and (5) potential imposition of fines of up to two percent of a company’s worldwide turnover in the event of severe data protection breaches. As EU nations consider and adopt some or all of the proposed changes to the Directive, Latin American countries may follow suit and amend their laws as well.

Spain

Spain’s data protection framework is based on constitutional privacy rights and personal data protections afforded by its Data Protection Law. This law incorporates the Directive and provides for the right of access to one’s personal information, a consent requirement for use of personal data, and the correction or “cancellation” of personal information that is incorrect or incomplete. The law creates a Data Protection Authority (“SDPA”) charged with: (1) issuing authorizations to process personal data, (2) ensuring compliance with the Data Protection Law, (3) addressing individuals’ complaints, (4) educating the public about personal data protection rights, (5) imposing penalties for violations of the law, (6) publicizing the existence of personal data files, (7) preparing annual reports to the Ministry of Justice, (8) monitoring and adopting authorizations for international transfer of data and cooperating with international entities as to personal data protection, and (9) ensuring compliance with provisions relating to collection of statistical data.

The SDPA may issue fines for violation of the law. For example, it has imposed a €30,001 fine on a law firm for sending unsolicited commercial messages to an individual after the individual had requested his name be removed from the firm’s mailing list. The SDPA also ordered a user-message-board host to remove an individual’s data, despite the host’s argument that it was not responsible for the data, as the material in question had been posted by site users.

In 2011, the SDPA initiated its first “right to be forgotten” case against Google in response to complaints from citizens who objected to the availability via Google Search of information published decades ago about them, and it ordered Google to remove links to the information at issue. Google is challenging the orders and the matter remains pending in the courts.

Spain’s National Court also filed a formal request in March 2012 with the European Court of Justice, Europe’s highest court, to clarify jurisdiction over individual privacy complaints against Google and other Web search companies. The SDPA wants all such grievances to be filed in Spain, arguing that Google is subject to EU law, and has continued its litigation against Google in Spanish courts, seeking deletion of links to personal content after complaints by Spanish citizens. Google, on the other hand, insists that all privacy complaints against it be filed in California, where Google is headquartered.

Personal Data Protection Frameworks in Latin America

Personal data protection frameworks in Latin America vary considerably and consist of (1) reliance on habeas data, a constitutional right to “informational self-determination,” which is defined as the right of each individual to protect himself or herself against both public and private entities that seek to collect and process data about the individual; (2) data protection laws; (3) “dual-approach” systems incorporating both habeas data and omnibus data protection laws; or (4) no comprehensive data protection or habeas data rights.

Brazil, Colombia, Paraguay, Peru, Argentina, Ecuador, Panama, and Honduras have all adopted habeas data as a constitutional right. The right authorizes individuals to file complaints with the Constitutional Court against any entity possessing a database to determine what information is held about his or her person and to request correction, disclosure (to the citizen), or destruction of the personal data.

However, habeas data has had limited practical value to individuals, as it is an after-the-fact remedy and does not establish a data protection authority or data protection standards for entities. The remedy is also burdensome to individuals, as it requires an application to judicial authorities, resulting in the substantial costs of initiating, maintaining, presenting, and proving such a claim.

Several Latin American countries have enacted data protection laws based on the 1995 EU Directive. In 2000, Argentina adopted a Personal Data Protection Act and created a data protection enforcement authority. The Act provides general principles of data protection, rights of data holders, sanctions for violations, and rules as to personal data protection actions. Argentina is the only Latin American country to have attained “adequate protection” status pursuant to the EU Directive.

Uruguay passed its data protection law in 2008, established an enforcement entity, and issued data protection regulations in 2009 that included data-breach-notification requirements while maintaining a supplemental habeas data mechanism. Uruguay awaits “adequate protection” status from the EU, which is still pending.

Mexico also enacted a data protection law consistent with a constitutionally protected right to protect information pertaining to private personal data. Regulations took effect in December 2011 and are enforced by a new data protection authority. Like the EU Directive, this law restricts the collection, use, and disclosure of personal data. Entities processing personal data must notify individuals of processing activities and significant security breaches. Violations of the law can trigger fines of up to $1.5 million for serious infractions, as well as imprisonment.

In 2011, Peru enacted its personal data protection law. It addresses such personal data protection rights as consent, proportionality, security, enforcement, and adequate protection of cross-border data transfers. Other rights include access, correction and cancellation or elimination of personal data, and compensation for statutory violations. The statute is enforced by a data protection authority.

Costa Rica enacted its personal data protection law in September 2011, formalizing habeas data rights and incorporating EU Directive principles. Notice and consent requirements have been established, as have limits on data transfers and appropriate security measures protecting against unauthorized use, access, disclosure, and destruction of personal data.

In 2011, Colombia’s Constitutional Court approved a data protection law that closely tracks the European Directive, including provisions regarding consent, assurance of access rights, and restriction of cross-border transfers of personal data to countries lacking adequate personal data protection laws under limited circumstances.

Other Personal Data Protection Laws: Brazil, Chile, Paraguay

Several Latin American countries are considering new data protection legislation. Brazil currently has a data protection bill before its Congress based on the EU Directive. It includes basic personal data rights such as right of access, correction or deletion of personal data, compensation for unauthorized use of personal data, and data-breach-notification requirements.

Chile recognizes privacy rights in its constitution, and it enacted a data protection law in 1999, although its law neither creates a data protection authority nor restricts personal data transfers to third countries. The law addresses the processing and use of personal data in the public and private sectors; it recognizes such rights as access and correction of personal data and authorizes fines for denial of such rights. Chile is a party to an agreement with the EU to increase levels of data protection, suggesting that Chile may eventually adopt a data protection framework with a data protection authority.

As explained above, Paraguay’s Constitution recognizes the right of habeas data, and its personal data protection law, enacted in 2002, regulates the collection, storage, distribution, publication, and modification of personal data contained in public or private databases. However, no data protection authority was created by the law, and individuals are therefore required to file individual complaints with the courts.

Enforcement Challenges and Regional Initiative

As discussed above, data protection laws are a recent legal development in Latin America, with full implementation still underway. Several enforcement challenges will impact Latin American countries: (1) limited budgets and limited regional experience in data protection enforcement, (2) a need for technical expertise in data security or privacy protection, (3) public distrust of government oversight and enforcement, (4) corruption issues, and (5) lack of public awareness of personal data rights. Currently, education and awareness are likely to be the primary activities of data protection authorities. However, if enforcement actions against allegedly noncompliant foreign entities receive political support and/or trigger incentives to create revenue for governments, a shift toward increased enforcement may occur.

Despite such challenges, a regional cooperative initiative is underway, the Ibero-American Network of Data Protection (“RIPD”), created in 2003 to exchange information and promote collaboration on personal data protection matters. Almost every Latin American country participates in the network, which analyzes and shares information regarding such issues as personal data of minors, health information, financial information, Internet communications, cross-border transfers of personal data, data security and privacy, and European “adequate protection” standards.

Latin American data protection frameworks will continue to evolve over the next several years. As a key trading partner with most of Latin America, the United States (and U.S.-based entities) must be aware of such developments in order to minimize risks and maximize the opportunities of regional and economic harmonization with its hemispheric neighbors.